
NSA Director: We Need Frameworks for Cyber, Circumventing Crypto

NSA director Mike Rogers spoke about creating legal frameworks for crypto-subversion and law enforcement intelligence gathering at Cybersecurity for a New America.

WASHINGTON, D.C.—In an on-stage discussion with CNN’s Jim Sciutto this morning, NSA director and commander of U.S. Cyber Command, Adm. Mike Rogers, said legislators need to create a legal framework outside the NSA and FBI’s control that would establish norms of behavior for law enforcement and intelligence-gathering organizations in the U.S. and abroad.

Sciutto began by asking Rogers about the national security community’s role in responding to cyberattacks. Rogers said that the key for the NSA is to ensure that his agency’s capabilities are deployed in a lawful, ethical and principled manner, as established by the Congress and the president.

If cyber is going to be a fundamental component of the world we’re living in, Rogers said, then over time we need to get to the idea of norms of behavior, deterrents and response thresholds. We are not mature, he said; we are not there yet.

As it stands, Rogers explained, we’re losing somewhere between $100 billion and $400 billion worth of intellectual property to theft each year. This, he said, is of particular concern to the Department of Defense, which watches as its contractors’ networks are regularly compromised by adversaries.

Rogers was typically vague on specifics, but he did wade briefly into the thorny issue of communications integrity. Like FBI director James Comey before him, Rogers said there needs to be a way for his and other agencies to access encrypted communications. Yahoo CISO Alex Stamos asked the NSA director whether, if his company had to provide backdoors for the NSA, it would then have to do the same for the People’s Liberation Army or other national governments.

Famed cryptographer Bruce Schneier went a step further in a later discussion, explaining that we cannot prevent criminals and foreign governments from accessing encrypted communications while allowing U.S. law enforcement to do so. This, he said, is technically impossible.

Rogers pointedly rejected the characterization that lawful access to encrypted communications would constitute a backdoor. Without offering a competing term or any explanation of how such access would actually work, Rogers simply said that we need to create a legal framework to allow such access for investigatory and intelligence-gathering purposes.

“I understand that there are going to be a lot of different perspectives out there,” Rogers said. “If we are willing to sit down and really have a conversation then I think we can get where we need to be.”

Sciutto asked Rogers if losing the metadata collection authorities granted by Section 215 of the Patriot Act would directly endanger U.S. citizens. Rogers replied that the loss of Section 215 would certainly make his and the broader NSA’s job more difficult, but also noted that trying to tie specific disrupted threats directly to collected metadata is like saying fingerprints solve crimes. In other words, metadata, like fingerprints, is merely one part of a far larger intelligence-gathering or investigatory system.

The admiral also claimed that metadata collection generates value for the nation. He qualified that by explaining that the NSA’s job, with regard to metadata, is foreign-intelligence intensive. The NSA’s job, he said, is about figuring out how to connect overseas information with threats to the U.S. without violating the rights of citizens in the U.S.

“We are a foreign intelligence organization,” he said. He went on to explain that the NSA doesn’t focus on U.S. surveillance or homegrown threats, though the NSA is partnered with the FBI in the event that it sees anything of interest emerging on the home front.

“Snowden has had a material impact on our ability to perform counterterror operations,” Rogers argued. “Anyone who says otherwise doesn’t know what they are talking about.”

During the Rogers discussion, Schneier posed one of his favorite questions from the crowd: how do we assure people that U.S. tech products are safe?

“That’s why we need a framework,” Rogers replied. “This is a legitimate question. ‘What is the economic impact?’ With policy and laws we can get to a better place.”

Via Twitter, American Civil Liberties Union chief technologist Chris Soghoian asked Rogers if he believes that foreign governments are in the business of spying on the cell-phones of U.S. citizens. In a moment of rare directness, Rogers said that he does believe that foreign governments are attempting to gather data from the devices of Americans.

Sciutto of CNN asked if the NSA had ever collected communications or metadata about him. Rogers responded that focused collection against a U.S. person is governed by law. He said the NSA would have to get permission by showing a court a legal basis for why it needs such information.

“It can’t just be, ‘we don’t like journalists,’” Rogers said. “We need a court order,” he said, while acknowledging that the NSA would not have to inform the target of its surveillance about the eavesdropping.

Rogers admitted that the national security community is not yet where it needs to be in terms of securing government, corporate and critical infrastructure networks. Part of the problem, he explained, is that we are trying to defend a network that was designed without anyone realizing that data theft would ever become a problem. Another part of the problem, he said, is that we are over-complicating cyber, bureaucratically speaking. The government needs to work to simplify cyber, he said.

Interactions like this, Rogers said in conclusion, and his own private conversations with academics in particular, are part of the process of building the framework sought by the NSA and other national law enforcement agencies. However, he urged the crowd to spur similar conversations with their respective legislative representatives.

Discussion

"legislators need to create a legal framework outside the NSA and FBI’s control that would establish norms of behavior for law enforcement and intelligence-gathering organizations in the U.S. and abroad."
I agree. However, I think the norm should be that my crypto has no built-in circumvention measures. Because a citizen should never have to prove to the government -- the people -- that his or her intentions are benign.

Authors

Threatpost
